Google and Yahoo in China. Research in Motion in the UAE. Siemens in Iran. What do these companies have in common? In each of these cases, companies have become embroiled in cyber conflicts and more importantly, they are exposed to risk stemming from violations of international human rights or humanitarian laws.
In the emerging field of cyber warfare, experts are looking at the applicability of the rules of war (humanitarian law) for answers about how to manage conflict in the cyber battlefield. Questions about neutrality of countries when hostile Internet traffic passes through their data pipelines, responses to cyber attacks when the actual culprits are unknown and the proportionality of an attack and a response from the nation state subject to a cyber attack are all questions that remain largely unanswered. The impacts on innocent civilians from a debilitating attack on a country’s online infrastructure can be devastating (collapse of power grids, shut downs of electronic financial infrastructures, disruption of telecommunications) and can arguably lead to injuries and deaths. In the realm of international human rights law, questions about censorship of bloggers (Iran and China), invasion of privacy (UAE, India and Saudi Arabia) involving government intrusions into encrypted private email are evolving rapidly.
The challenge facing companies like Google, Yahoo, Siemens and RIM is how can they operate in regions of the world where human rights are at risk while continuing to do business in cyberspace?
So far, these and other companies have either ignored the human rights implications of their business activities or, in the case of these companies, attempted to balance the need for business expansion with a measure of responsibility to stakeholders. However, risks abound for these and other companies caught up in cyber conflict.
It is instructive to look at the current problems facing these companies around the world. “China’s estimated 338 million Internet users remain subject to the arbitrary dictates of state censorship. More than a dozen government agencies are involved in implementing a host of laws, regulations, policy guidelines, and other legal tools to try to keep information and ideas from the Chinese people. Various companies, including Google, Yahoo! and Microsoft, have enabled this system by blocking terms they believe the Chinese government will want them to censor,” notes Human Rights Watch.
“For RIM . . . security is one of the main advantages it touts over competitors. E-mails its customers send are encrypted and sent through RIM’s own servers and network operation centers . . . However, the system also makes it harder for governments to monitor BlackBerry communications than messages from other smartphones, which typically travel across the Internet. That has made RIM’s devices an issue for countries concerned mobile e-mail or messaging could be used to coordinate a terrorist attack or bring down a government,” reports Bloomberg.
Yet what remains unspoken is the fact that any expectation or protection of privacy is thrown out the window by these changes in government policies. Saudi Arabia and the UAE are not exactly bastions of human rights and India is not far behind when it comes to ignoring the rights of its citizens when state action is involved. In each of these instances, governments have framed their decisions to snoop into the private communications of cell phone users as a matter of national security.
In the realm of cyber warfare, recent reports of the Stuxnet computer worm, which some experts suggest was designed specifically to attack the Bushehr nuclear reactor in Iran, accomplishes its task by targeting systems controllers manufactured by Siemens. While some suggest that Stuxnet may have played itself out after attacking a massive number of computer systems, most of which are located in Iran, there is legitimate concern that new zero-day attacks will wreck far greater havoc. Of course, this has triggered considerable debate in the global IT community about cyber warfare, retaliation and massive cyber defense responses. This has, in turn, led to a massive build up of the cyber security industry here in the U.S.
This all leads to the basic question. How are the rights of ordinary people in China, Iran, India and the United States for that matter protected from the cyber aggression of their own governments and from nation states bent on cyber aggression? Equally important, what are the risks to companies complicit in these and other scenarios that are certain to emerge in the coming months and years?
For each of the companies involved in these recent conflicts, their responses have been measured but not without their detractors. However, the voices of concern over human rights in the cases of Google, Yahoo and RIM have been largely drowned out by business and consumer concerns over loss of access. The visceral addiction of rabid Blackberry addicts speaks, at least anecdotally, to the lack of protest over these governments actions and the company’s responses. While Siemens has been a victim of sorts of the Stuxnet worm, the failure of its control systems poses real risks from the catastrophic harms inflicted on those affected by system failures to power systems and other public services.
Today, there is a growing need for developing a body of law that speaks to these concerns and a greater awareness of the need for corporate accountability in the virtual realm. Given that many of the current treaties addressing war and human rights were crafted long before the advent of the Internet, there is considerable uncertainty in the law. This leaves companies somewhat in the lurch in respect to their business conduct with the uncertainty of the law exposing them to unforeseen risks in the coming years.
As a child, I remember playing “war” with my friends. Epic battles played out in our backyards with imaginary casualties lying at the feet of victorious warriors in paper hats. Unfortunately, many years later not much has changed in the minds of many otherwise reasoned thinkers.
